
Allow better control for discovery endpoints to use

Open · marchchad opened this issue 5 months ago · 1 comment

Checklist

  • [X] I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • [X] I have searched the issues and have not found a suitable solution or answer.
  • [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • [X] I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

I'm setting up an Express.js API to verify tokens issued by a Keycloak v23 instance. Keycloak provides a /.well-known/openid-configuration endpoint but does not publish a /.well-known/oauth-authorization-server endpoint. When using the express-oauth2-jwt-bearer package, it took me reading the source code to see that the only way to use the package was to provide the full URL to the well-known endpoint so it could short-circuit the asserts here: https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/access-token-jwt/src/discovery.ts#L31. Otherwise the package also attempts to fetch the oauth-authorization-server endpoint, which isn't available on Keycloak: https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/access-token-jwt/src/discovery.ts#L43-L47

Describe the ideal solution

There are multiple solutions to this problem:

  • Improved documentation for use in different auth scenarios, such as OIDC only providers
  • Configuration option / environment variable to specify OIDC, OAUTH, or BOTH. Could even default to both, but provide an option to only attempt discovery of one of the 3 scenarios
  • Don't fail initialization if both aren't available. Attempt discovery and verification of both endpoints, fail if both are unavailable, but log a warning if one of the two is not available

Alternatives and current workarounds

The current workaround is to specify the full URL to the /.well-known/openid-configuration endpoint. As far as I can tell, this configuration option is not documented.

Additional context

No response

marchchad · Sep 02 '24 20:09
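The third option proposed above (try both well-known documents, warn when one is missing, fail only when neither is usable), as an added JavaScript sketch that is not code from node-oauth2-jwt-bearer. It assumes an injected async `fetchJson(url)` loader and the constructed `fakeFetchJson` stand-in for a Keycloak realm that only serves openid-configuration; the issuer-consistency check is an added defensive step, not something the issue describes.

```javascript
// Added illustration, not library code: tolerant discovery that attempts both
// well-known documents, warns if one is missing and fails only when none is usable.
// `fetchJson(url)` is an assumed async loader so the example runs offline.
const WELL_KNOWN = [
  '/.well-known/openid-configuration',
  '/.well-known/oauth-authorization-server',
];

// Candidate discovery URLs. A full well-known URL is used as-is (today's
// workaround); a bare issuer URL expands to both documents.
function discoveryUrls(issuerBaseURL) {
  const url = new URL(issuerBaseURL);
  if (WELL_KNOWN.some((p) => url.pathname.endsWith(p))) return [url.href];
  return WELL_KNOWN.map((p) => url.href.replace(/\/$/, '') + p);
}

// Returns the first usable document. The `issuer` inside it must match the
// configured issuer so a document from the wrong origin cannot redirect JWKS lookup.
async function discover(issuerBaseURL, fetchJson, warn = () => {}) {
  const expected = issuerBaseURL.replace(/\/\.well-known\/.*$/, '').replace(/\/$/, '');
  const docs = [];
  const errors = [];
  for (const u of discoveryUrls(issuerBaseURL)) {
    try {
      const doc = await fetchJson(u);
      if (typeof doc.jwks_uri !== 'string') throw new Error('no jwks_uri');
      if (String(doc.issuer).replace(/\/$/, '') !== expected) throw new Error('issuer mismatch');
      docs.push(doc);
    } catch (e) {
      errors.push(`${u}: ${e.message}`);
    }
  }
  if (docs.length === 0) throw new Error(`discovery failed: ${errors.join('; ')}`);
  if (errors.length) warn(`discovery: ${errors.join('; ')}`);
  return docs[0];
}

// Constructed stand-in for a Keycloak realm: only openid-configuration exists.
const ISSUER = 'https://keycloak.example.test/realms/demo';
const DOCS = {
  [`${ISSUER}/.well-known/openid-configuration`]: {
    issuer: ISSUER, jwks_uri: `${ISSUER}/protocol/openid-connect/certs`,
  },
};
async function fakeFetchJson(url) {
  if (!(url in DOCS)) throw new Error('HTTP 404');
  return DOCS[url];
}
```

With the bare realm URL, `discover` succeeds on openid-configuration and emits one warning about the missing oauth-authorization-server document; with the full well-known URL it short-circuits to a single fetch.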